<html>
<head><meta charset="utf-8"><title>RustSec CI breakage · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html">RustSec CI breakage</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="239761217"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239761217" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239761217">(May 21 2021 at 14:37)</a>:</h4>
<p>So, RustSec advisory DB CI is broken because <a href="http://crates.io">crates.io</a> API has removed some field we don't use anyway.<br>
The issue originates in <code>crates_io_api</code> crate, but updating that is non-trivial because the fix is only present in semver-incompatible versions.<br>
I am kinda pissed about the whole situation because not only it's blocking the advisory assignment, it's also blocking my development work.<br>
So, I'm going to take the nuclear option - ditch the <code>crates_io_api</code> crate. It is prone to such breakage in the future, and is very bloated - it pulls in <code>reqwest</code> which it should not have done in the first place, <code>async</code> for an API rate-limited to 1 request per second is <strong>ridiculous.</strong> <br>
Instead I'm gonna write a very small wrapper over <a href="http://crates.io">crates.io</a> API using <code>ureq</code> that does just enough for our purposes and is not going to break in this manner in the future. I have already done this for <code>cargo supply-chain</code> so it should be a cakewalk.<br>
<span class="user-mention" data-user-id="132721">@Tony Arcieri</span> thoughts?</p>



<a name="239762609"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239762609" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239762609">(May 21 2021 at 14:47)</a>:</h4>
<p>uh, just to make sure</p>



<a name="239762683"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239762683" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239762683">(May 21 2021 at 14:47)</a>:</h4>
<p>do you mean the breakage happened on <a href="https://crates.io/crates/crates_io_api">https://crates.io/crates/crates_io_api</a> or on the <a href="http://crates.io">crates.io</a> api itself?</p>



<a name="239763390"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239763390" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239763390">(May 21 2021 at 14:52)</a>:</h4>
<p><span class="user-mention" data-user-id="121055">@Pietro Albini</span> AFAIK <a href="http://crates.io">crates.io</a> API itself, see <a href="https://github.com/theduke/crates_io_api/issues/30">https://github.com/theduke/crates_io_api/issues/30</a></p>



<a name="239763518"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239763518" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239763518">(May 21 2021 at 14:53)</a>:</h4>
<p>oh that's the RFC removing the authors field</p>



<a name="239763533"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239763533" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239763533">(May 21 2021 at 14:53)</a>:</h4>
<p>let me check a thing</p>



<a name="239763892"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239763892" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239763892">(May 21 2021 at 14:56)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> the <code>/authors</code> endpoint is still present for backward compat and returns an empty list</p>



<a name="239763920"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239763920" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239763920">(May 21 2021 at 14:56)</a>:</h4>
<p>if you want I'd gladly deploy a revert of this part of this PR: <a href="https://github.com/rust-lang/crates.io/pull/3549/files#diff-7097826b14751e17e4c05c8e260d7d67776bcd35b0ce6537638ed0dac16b592cR624-R737">https://github.com/rust-lang/crates.io/pull/3549/files#diff-7097826b14751e17e4c05c8e260d7d67776bcd35b0ce6537638ed0dac16b592cR624-R737</a></p>



<a name="239764121"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239764121" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239764121">(May 21 2021 at 14:57)</a>:</h4>
<p>sorry for the breakage, I missed that would've been a breaking change during review</p>



<a name="239764131"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239764131" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239764131">(May 21 2021 at 14:57)</a>:</h4>
<p><span class="user-mention" data-user-id="121055">@Pietro Albini</span> field test have determined that not to be the case. Many (or all?) consumers of <code>crates_io_api</code> crate broke a few days ago. The patch shipped in 0.7.1 of <code>crates_io_api</code> is literally making the field non-mandatory and just returning an empty list.</p>



<a name="239764753"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239764753" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239764753">(May 21 2021 at 15:01)</a>:</h4>
<p>I'd be happy not to be forced to upgrade right this instant, but I'm probably going to purge <code>crates_io_api</code> from my deps anyway just on principle</p>



<a name="239769308"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239769308" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239769308">(May 21 2021 at 15:30)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage/near/239764131">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="121055">Pietro Albini</span> field test have determined that not to be the case. Many (or all?) consumers of <code>crates_io_api</code> crate broke a few days ago. The patch shipped in 0.7.1 of <code>crates_io_api</code> is literally making the field non-mandatory and just returning an empty list.</p>
</blockquote>
<p>hmm, my understanding is that:</p>
<ul>
<li><code>/api/v1/crates/{crate}/{version}/authors</code> is still working and returns an empty list</li>
<li>the <code>authors</code> link in other responses was accidentally removed causing the breakage</li>
</ul>



<a name="239771559"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239771559" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239771559">(May 21 2021 at 15:45)</a>:</h4>
<p>Yes, that sounds correct. I'm sorry if I've misled you</p>



<a name="239771680"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239771680" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239771680">(May 21 2021 at 15:46)</a>:</h4>
<p>no worries <span aria-label="smile" class="emoji emoji-1f642" role="img" title="smile">:smile:</span></p>



<a name="239771708"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239771708" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239771708">(May 21 2021 at 15:46)</a>:</h4>
<p>I don't have the time to write a PR unfortunately, but I'd be happy to review one</p>



<a name="239771727"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239771727" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239771727">(May 21 2021 at 15:46)</a>:</h4>
<p>it should just be a revert of those changes if you're interested</p>



<a name="239772696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239772696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239772696">(May 21 2021 at 15:52)</a>:</h4>
<p>Probably not today, but I'll report an issue at least.</p>



<a name="239773681"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239773681" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239773681">(May 21 2021 at 15:59)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage/near/239761217">said</a>:</p>
<blockquote>
<p>So, I'm going to take the nuclear option - ditch the <code>crates_io_api</code> crate. It is prone to such breakage in the future, and is very bloated - it pulls in <code>reqwest</code> which it should not have done in the first place, <code>async</code> for an API rate-limited to 1 request per second is <strong>ridiculous.</strong> <br>
Instead I'm gonna write a very small wrapper over <a href="http://crates.io">crates.io</a> API using <code>ureq</code> that does just enough for our purposes and is not going to break in this manner in the future. I have already done this for <code>cargo supply-chain</code> so it should be a cakewalk.<br>
<span class="user-mention silent" data-user-id="132721">Tony Arcieri</span> thoughts?</p>
</blockquote>
<p>I've been thinking about removing it anyway, so go for it</p>



<a name="239773712"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239773712" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239773712">(May 21 2021 at 15:59)</a>:</h4>
<p>oh hey you already did</p>



<a name="239774130"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239774130" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239774130">(May 21 2021 at 16:02)</a>:</h4>
<p>Yup, PR's up: <a href="https://github.com/RustSec/rustsec/pull/371">https://github.com/RustSec/rustsec/pull/371</a></p>



<a name="239774187"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239774187" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239774187">(May 21 2021 at 16:02)</a>:</h4>
<p>Left a comment explaining one of your TODOs, otherwise it lgtm</p>



<a name="239774506"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239774506" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239774506">(May 21 2021 at 16:04)</a>:</h4>
<p>Great, fixed! Pleasure working with you <span aria-label="hug" class="emoji emoji-1f917" role="img" title="hug">:hug:</span></p>



<a name="239781678"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239781678" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239781678">(May 21 2021 at 16:56)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> just waiting on you to merge and publish. Also I'd appreciate if you could weigh in on bundled vs host certs, it's an easy thing to toggle either way</p>



<a name="239781839"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239781839" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239781839">(May 21 2021 at 16:58)</a>:</h4>
<p>I'm kinda busy right now, and I'm not sure what you're referring to with bundled versus host certs. Using the local root certificate trust store? I generally prefer that yeah, but for rustsec-admin talking to <a href="http://crates.io">crates.io</a> I'm not really sure it matters</p>



<a name="239782525"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239782525" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239782525">(May 21 2021 at 17:03)</a>:</h4>
<p>Yeah, exactly that. It's either <code>webpki-roots</code> crate effectively hardcoded in the binary, or using the certs installed in the OS. I'll go ahead and switch to OS certificates then.</p>



<a name="239783160"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239783160" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239783160">(May 21 2021 at 17:07)</a>:</h4>
<p>I'd say go ahead and merge your PR to get stuff unblocked. Conceptually it sounds fine and I don't have time to review it right now</p>



<a name="239785372"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239785372" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239785372">(May 21 2021 at 17:24)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> merged. You're the sole owner of the crate though, could you bump version and publish to <a href="http://crates.io">crates.io</a>?</p>



<a name="239785480"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239785480" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239785480">(May 21 2021 at 17:25)</a>:</h4>
<p>yeah, gimme a bit</p>



<a name="239787658"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239787658" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239787658">(May 21 2021 at 17:41)</a>:</h4>
<p>PR for using <a href="http://crates.io">crates.io</a> index instead of API queries is up: <a href="https://github.com/RustSec/rustsec/pull/372">https://github.com/RustSec/rustsec/pull/372</a></p>



<a name="239819884"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239819884" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239819884">(May 21 2021 at 22:18)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> PR using the <a href="http://crates.io">crates.io</a> index repo instead of API calls seems to be good to go, so it's up to you whether you want to publish the interim solution with <code>ureq</code> or go straight for the index</p>



<a name="239820274"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239820274" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239820274">(May 21 2021 at 22:23)</a>:</h4>
<p>using <code>crates-index</code> sounds great to me as it’s already a dependency of <code>rustsec</code> so it cuts down on the overall number of dependencies quite a bit</p>



<a name="239820839"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239820839" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239820839">(May 21 2021 at 22:29)</a>:</h4>
<p>All right, then merge and publish it whenever you're ready.</p>



<a name="239820914"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239820914" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239820914">(May 21 2021 at 22:30)</a>:</h4>
<p>The impact on metrics is not that large - it removes 6 publishers from the supply chain (161 vs 167) and makes almost no difference in the amount of unsafe code.</p>



<a name="239820989"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239820989" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239820989">(May 21 2021 at 22:31)</a>:</h4>
<p>Hmm, I wonder how gitoxide is doing and whether it's a good idea to use it in place if libgit2. That in turn might unlock <code>rustls</code> for TLS in <code>cargo-audit</code></p>



<a name="239821161"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239821161" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239821161">(May 21 2021 at 22:33)</a>:</h4>
<p>Hmm, doesn't seem to support <code>clone</code> yet.</p>



<a name="239821788"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239821788" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239821788">(May 21 2021 at 22:41)</a>:</h4>
<p>Aww, <code>gitoxide</code> uses <code>curl</code> internally so it's OpenSSL either way <span aria-label="disappointed" class="emoji emoji-1f61e" role="img" title="disappointed">:disappointed:</span></p>



<a name="239822469"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239822469" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239822469">(May 21 2021 at 22:49)</a>:</h4>
<p>Soon enough curl will support rustls for TLS :-)</p>



<a name="239826604"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239826604" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239826604">(May 21 2021 at 23:43)</a>:</h4>
<p>They aren't using any async anyway so using <code>curl</code> is a waste. <code>attohttpc</code> will do fine. <code>ureq</code> too, if they get around to bringing back native-tls support</p>



<a name="239872640"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239872640" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239872640">(May 22 2021 at 13:23)</a>:</h4>
<p>Another PR is up: <a href="https://github.com/RustSec/rustsec/pull/373">https://github.com/RustSec/rustsec/pull/373</a><br>
This gets all crate versions and then lists which ones are affected by a given advisory. This is something I want to have if I end up changing the version matching logic so that I could compare the before and after to spot any regressions.<br>
This also enables an interesting use case: we could get a bot to post a list of versions matched by the advisory on any new advisory PR. This makes it easier for submitters to verify that their range specification is doing what they intended.</p>



<a name="239876197"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239876197" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239876197">(May 22 2021 at 14:24)</a>:</h4>
<p>hmm oh joy, I forgot to reset the button to squash and merge</p>



<a name="239876429"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239876429" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239876429">(May 22 2021 at 14:28)</a>:</h4>
<p>or it is on? huh</p>



<a name="239903023"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20CI%20breakage/near/239903023" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20CI.20breakage.html#239903023">(May 22 2021 at 21:57)</a>:</h4>
<p>For the record, CI is fixed, and the advisory backlog has been cleared. Thanks to Tony for taking care of it.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>